vaultwarden
/
goldwarden-vaultwarden-bitwarden-client
mirror of https://github.com/quexten/goldwarden.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update old cipher type warning

This commit is contained in:
Bernd Schoolmann 2024-04-30 00:48:08 +02:00
parent 8fd7c45b9b
commit fbb31a31d3
No known key found for this signature in database
1 changed files with 27 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
agent/bitwarden/crypto/encstring.go
View File

@ -57,31 +57,37 @@ func (s *EncString) UnmarshalText(data []byte) error {
s.Type = EncStringType(t)
}
data = data[i+1:]
parts := bytes.Split(data, []byte("|"))
switch s.Type {
case AesCbc256_HmacSha256_B64:
case AesCbc128_HmacSha256_B64, AesCbc256_B64:
return errors.New("outdated cipher of type: " + strconv.Itoa(int(s.Type)) + " detected. PLEASE ROTATE YOU VAULT KEYS")
case AesCbc256_HmacSha256_B64, AesCbc128_HmacSha256_B64:
if len(parts) != 3 {
return errors.New("invalid cipher string format, missing parts, length: " + strconv.Itoa(len(data)) + "type: " + strconv.Itoa(int(s.Type)))
}
if s.IV, err = b64decode(parts[0]); err != nil {
return err
}
if s.CT, err = b64decode(parts[1]); err != nil {
return err
}
if s.MAC, err = b64decode(parts[2]); err != nil {
return err
}
case AesCbc256_B64:
if len(parts) != 2 {
return errors.New("invalid cipher string format, missing parts, length: " + strconv.Itoa(len(data)) + "type: " + strconv.Itoa(int(s.Type)))
}
if s.IV, err = b64decode(parts[0]); err != nil {
return err
}
if s.CT, err = b64decode(parts[1]); err != nil {
return err
}
default:
return errors.New("invalid cipher string type, unknown type: " + strconv.Itoa(int(s.Type)))
}
data = data[i+1:]
parts := bytes.Split(data, []byte("|"))
if len(parts) != 3 {
return errors.New("invalid cipher string format, missing parts, length: " + strconv.Itoa(len(data)) + "type: " + strconv.Itoa(int(s.Type)))
}
if s.IV, err = b64decode(parts[0]); err != nil {
return err
}
if s.CT, err = b64decode(parts[1]); err != nil {
return err
}
if s.Type.HasMAC() {
if s.MAC, err = b64decode(parts[2]); err != nil {
return err
}
}
return nil
}
@ -151,7 +157,7 @@ func DecryptWith(s EncString, key SymmetricEncryptionKey) ([]byte, error) {
return nil, fmt.Errorf("decrypt: MAC mismatch")
}
} else if s.Type == AesCbc256_B64 {
return nil, fmt.Errorf("decrypt: cipher of unsupported type %q", s.Type)
cryptoLog.Warn("WARNING: VAULT CONTAINS INSECURE AesCbc256_B64 CIPHER, PLEASE ROTATE YOUR VAULT KEYS IN THE WEB VAULT")
}
dst, err := decryptAESCBC256(s.IV, s.CT, encKeyData)